X-Git-Url: http://git.sameswireless.fr/l2tpns.git/blobdiff_plain/f5071c422df06800e59bb1be0218c0f6ec2ba831..9e78f1af54f2c8b7abfbe6ffe2dfbd26e98672c2:/Docs/manual.html diff --git a/Docs/manual.html b/Docs/manual.html index 59d6dbc..12180ea 100644 --- a/Docs/manual.html +++ b/Docs/manual.html @@ -52,21 +52,22 @@ H3 {
  • Interception
  • Authentication
  • Plugins
  • -
  • Walled Garden
  • +
  • Walled Garden
  • +
  • Filtering
  • Clustering
  • Routing
  • Performance
  • Overview

    -l2tpns is half of a complete L2TP implementation. It supports only the -LNS side of the connection.

    +l2tpns a complete L2TP implementation. It supports the LAC, LNS and + PPPOE server.

    L2TP (Layer 2 Tunneling Protocol) is designed to allow any layer 2 protocol (e.g. Ethernet, PPP) to be tunneled over an IP connection. l2tpns implements PPP over L2TP only.

    -There are a couple of other L2TP imlementations, of which l2tpd is probably the most popular. l2tpd also will handle being either end of a tunnel, and is a lot more configurable than l2tpns. However, due to the way it works, @@ -183,6 +184,18 @@ the same as the LAC, or authentication will fail. Only actually be used if the LAC requests authentication. +

  • l2tp_mtu (int)
    +MTU of interface for L2TP traffic (default: 1500). Used to set link +MRU and adjust TCP MSS. +
  • + +
  • ppp_restart_time (int)
    +ppp_max_configure (int)
    +ppp_max_failure (int)
    +PPP counter and timer values, as described in §4.1 of +RFC1661. +
  • +
  • primary_dns (ip address)
  • secondary_dns (ip address)
    Whenever a PPP connection is established, DNS servers will be sent to the @@ -190,51 +203,75 @@ user, both a primary and a secondary. If either is set to 0.0.0.0, then that one will not be sent.
  • -
  • save_state (boolean)
    -When l2tpns receives a STGTERM it will write out its current -ip_address_pool, session and tunnel tables to disk prior to exiting to -be re-loaded at startup. The validity of this data is obviously quite -short and the intent is to allow an sessions to be retained over a -software upgrade. -
  • -
  • primary_radius (ip address)
  • secondary_radius (ip address)
    -Sets the radius servers used for both authentication and accounting. -If the primary server does not respond, then the secondary radius -server will be tried. +Sets the RADIUS servers used for both authentication and accounting. +If the primary server does not respond, then the secondary RADIUS +server will be tried.
    +Note: in addition to the source IP address and +identifier, the RADIUS server must include the source +port when detecting duplicates to supress (in order to cope with a +large number of sessions comming on-line simultaneously l2tpns uses a +set of udp sockets, each with a seperate identifier).
  • primary_radius_port (short)
  • secondary_radius_port (short)
    -Sets the authentication ports for the primary and secondary radius +Sets the authentication ports for the primary and secondary RADIUS servers. The accounting port is one more than the authentication -port. If no radius ports are given, the authentication port defaults +port. If no RADIUS ports are given, the authentication port defaults to 1645, and the accounting port to 1646.
  • radius_accounting (boolean)
    -If set to true, then radius accounting packets will be sent. This +If set to true, then RADIUS accounting packets will be sent. This means that a Start record will be sent when the session is successfully authenticated, and a Stop record will be sent when the session is closed.
  • radius_secret (string)
    -This secret will be used in all radius queries. If this is not set then -radius queries will fail. +This secret will be used in all RADIUS queries. If this is not set then +RADIUS queries will fail. +
  • + +
  • radius_authtypes (string)
    +A comma separated list of supported RADIUS authentication methods +(pap or chap), in order of preference (default pap). +
  • + +
  • radius_dae_port (short)
    +Port for DAE RADIUS (Packet of Death/Disconnect, Change of Authorization) +requests (default: 3799). +
  • + +
  • allow_duplicate_users (boolean)
    +Allow multiple logins with the same username. If false (the default), +any prior session with the same username will be dropped when a new +session is established.
  • bind_address (ip address)
    -When the tun interface is created, it is assigned the address -specified here. If no address is given, 1.1.1.1 is used. Packets -containing user traffic should be routed via this address if given, -otherwise the primary address of the machine. +It's the listen address of the l2tp udp protocol sent and received +to LAC. This address is also assigned to the tun interface if no +iftun_address is specified. Packets containing user traffic should be +routed via this address if given, otherwise the primary address of the +machine. +
  • + +
  • iftun_address (ip address)
    +This parameter is used when you want a tun interface address different +from the address of "bind_address" (For use in cases of specific configuration). +If no address is given to iftun_address and bind_address, 1.1.1.1 is used. +
  • + +
  • tundevicename (string)
    +Name of the tun interface (default: "tun0").
  • peer_address (ip address)
    Address to send to clients as the default gateway. - +
  • send_garp (boolean)
    Determines whether or not to send a gratuitous ARP for the @@ -276,10 +313,6 @@ second. Even if this is disabled, you can see this information by running the uptime command on the CLI.
  • -
  • cleanup_interval (int)
    -Interval between regular cleanups (in seconds). -
  • -
  • multi_read_count (int)
    Number of packets to read off each of the UDP and TUN fds when returned as readable by select (default: 10). Avoids incurring the @@ -301,6 +334,13 @@ Keep all pages mapped by the l2tpns process in memory. Maximum number of host unreachable ICMP packets to send per second.
  • +
  • packet_limit (int>
    +Maximum number of packets of downstream traffic to be handled each +tenth of a second per session. If zero, no limit is applied (default: +0). Intended as a DoS prevention mechanism and not a general +throttling control (packets are dropped, not queued). +
  • +
  • cluster_address (ip address)
    Multicast cluster address (default: 239.192.13.13). See the section on Clustering for more information. @@ -310,6 +350,10 @@ on Clustering for more information. Interface for cluster packets (default: eth0).
  • +
  • cluster_mcast_ttl (int)
    +TTL for multicast packets (default: 1). +
  • +
  • cluster_hb_interval (int)
    Interval in tenths of a second between cluster heartbeat/pings.
  • @@ -319,8 +363,95 @@ Cluster heartbeat timeout in tenths of a second. A new master will be elected when this interval has been passed without seeing a heartbeat from the master. + +
  • cluster_master_min_adv (int)
    +Determines the minumum number of up to date slaves required before the +master will drop routes (default: 1). +
  • + +
  • echo_timeout (int)
    +Time between last packet sent and LCP ECHO generation +(default: 10 (seconds)). +
  • + +
  • idle_echo_timeout (int)
    +Drop sessions who have not responded within idle_echo_timeout seconds +(default: 240 (seconds)) +
  • + +
  • auth_tunnel_change_addr_src (boolean)
    +This parameter authorize to change the source IP of the tunnels l2tp. +This parameter can be used when the remotes BAS/LAC are l2tpns server +configured in cluster mode, but that the interface to remote LNS are +not clustered (the tunnel can be coming from different source IP) +(default: no). +
  • + +
  • disable_sending_hello (boolean)
    +Disable l2tp sending HELLO message for Apple compatibility. +Some OS X implementation of l2tp no manage the L2TP "HELLO message". +(default: no). +
  • + +

    LAC configuration

    + + +

    A static REMOTES LNS configuration can be entered by the command:

    +
    setforward MASK IP PORT SECRET
    + +where MASK specifies the mask of users who have forwarded to +remote LNS (ex: "/friendISP@company.com").
    +where IP specifies the IP of the remote LNS (ex: "66.66.66.55").
    +where PORT specifies the L2TP Port of the remote LNS +(Normally should be 1701) (ex: 1701).
    +where SECRET specifies the secret password the remote LNS (ex: mysecret).
    +
    +The static Remote LNS configuration can be used when the friend ISP not +have a proxied Radius.
    +If the proxied Radius is used, It will return the RADIUS attributes:
    + Tunnel-Type: 1 = L2TP
    + Tunnel-Medium-Type: 1 = IPv4
    + Tunnel-Password: 1 = "LESECRETL2TP"
    + Tunnel-Server-Endpoint: 1 = "88.xx.xx.x1"
    + Tunnel-Assignment-Id: 1 = "friendisp_lns1"
    + Tunnel-Type: 2 = L2TP
    + Tunnel-Medium-Type: 2 = IPv4
    + Tunnel-Password: 2 = "LESECRETL2TP"
    + Tunnel-Server-Endpoint: 2 = "88.xx.xx.x2"
    + Tunnel-Assignment-Id: 2 = "friendisp_lns2"
    + +

    PPPOE configuration

    + + + +

    BGP configuration

    +

    BGP routing configuration is entered by the command: The routing configuration section is entered by the command

    router bgp as
    @@ -338,6 +469,42 @@ Where peer specifies the BGP neighbour as either a hostname or IP address, as is the remote AS number and keepalive, hold are the timer values in seconds. +

    Named access-lists are configured using one of the commands: +

    +
    ip access-list standard name +
    ip access-list extended name +
    + +

    Subsequent lines prefixed with permit or deny +define the body of the access-list. Standard access-list syntax: +

    +
    {permit|deny} + {host|source source-wildcard|any} + [{host|destination destination-wildcard|any}] +
    + +Extended access-lists: + +
    +

    {permit|deny} ip + {host|source source-wildcard|any} + {host|destination destination-wildcard|any} [fragments] +

    {permit|deny} udp + {host|source source-wildcard|any} + [{eq|neq|gt|lt} port|range from to] + {host|destination destination-wildcard|any} + [{eq|neq|gt|lt} port|range from to] + [fragments] +

    {permit|deny} tcp + {host|source source-wildcard|any} + [{eq|neq|gt|lt} port|range from to] + {host|destination destination-wildcard|any} + [{eq|neq|gt|lt} port|range from to] + [{established|{match-any|match-all} + {+|-}{fin|syn|rst|psh|ack|urg} + ...|fragments] +

    +

    users

    Usernames and passwords for the command-line interface are stored in @@ -500,19 +667,19 @@ IP Address Used Session User
  • show radius
    -Show a summary of the in-use radius sessions. This list should not be very -long, as radius sessions should be cleaned up as soon as they are used. The +Show a summary of the in-use RADIUS sessions. This list should not be very +long, as RADIUS sessions should be cleaned up as soon as they are used. The columns listed are: - + - -
    RadiusThe ID of the radius request. This is - sent in the packet to the radius server for identification.
    RadiusThe ID of the RADIUS request. This is + sent in the packet to the RADIUS server for identification.
    StateThe state of the request - WAIT, CHAP, AUTH, IPCP, START, STOP, NULL.
    SessionThe session ID that this radius +
    SessionThe session ID that this RADIUS request is associated with
    RetryIf a response does not appear to the request, it will retry at this time. This is a unix timestamp.
    TryRetry count. The radius request is +
    TryRetry count. The RADIUS request is discarded after 3 retries.

    @@ -553,7 +720,7 @@ current session for that username will be forwarded to the given host/port. Specify no snoop username to disable interception for the session.

    -If you want interception to be permanent, you will have to modify the radius +If you want interception to be permanent, you will have to modify the RADIUS response for the user. See Interception.

  • @@ -564,7 +731,7 @@ session. Specify no throttle username to disable throttling for the current session.

    If you want throttling to be permanent, you will have to modify the -radius response for the user. See Throttling. +RADIUS response for the user. See Throttling.

    @@ -642,16 +809,15 @@ killall -HUP l2tpns The signals understood are: -

    +
    +
    SIGHUP
    Reload the config from disk and re-open log file.
    +
    SIGTERM, SIGINT
    Stop process. Tunnels and sessions are not +terminated. This signal should be used to stop l2tpns on a +cluster node where there are other machines to +continue handling traffic.
    +
    SIGQUIT
    Shut down tunnels and sessions, exit process when +complete.
    +

    Throttling

    @@ -660,7 +826,7 @@ desire. You must first enable the global setting throttle_speed before this will be activated.

    If you wish a session to be throttled permanently, you should set the -Vendor-Specific radius value Cisco-Avpair="throttle=yes", which +Vendor-Specific RADIUS value Cisco-Avpair="throttle=yes", which will be handled by the autothrottle module.

    Otherwise, you can enable and disable throttling an active session using @@ -684,7 +850,7 @@ and no snoop username CLI commands. These will enable interception immediately.

    If you wish the user to be intercepted whenever they reconnect, you will -need to modify the radius response to include the Vendor-Specific value +need to modify the RADIUS response to include the Vendor-Specific value Cisco-Avpair="intercept=yes". For this feature to be enabled, you need to have the autosnoop module loaded.

    @@ -694,11 +860,11 @@ Whenever a session connects, it is not fully set up until authentication is completed. The remote end must send a PPP CHAP or PPP PAP authentication request to l2tpns.

    -This request is sent to the radius server, which will hopefully respond with +This request is sent to the RADIUS server, which will hopefully respond with Auth-Accept or Auth-Reject.

    If Auth-Accept is received, the session is set up and an IP address is -assigned. The radius server can include a Framed-IP-Address field in the +assigned. The RADIUS server can include a Framed-IP-Address field in the reply, and that address will be assigned to the client. It can also include specific DNS servers, and a Framed-Route if that is required.

    @@ -708,7 +874,7 @@ walled garden module is loaded, in which case the user still receives the PPP AUTHACK, but their session is flagged as being a garden'd user, and they should not receive any service.

    -The radius reply can also contain a Vendor-Specific attribute called +The RADIUS reply can also contain a Vendor-Specific attribute called Cisco-Avpair. This field is a freeform text field that most Cisco devices understand to contain configuration instructions for the session. In the case of l2tpns it is expected to be of the form @@ -758,39 +924,39 @@ supplied structure: - - @@ -799,12 +965,12 @@ supplied structure: seriously slow down the system. @@ -813,12 +979,12 @@ supplied structure: seriously slow down the system. @@ -827,9 +993,9 @@ supplied structure: you do is reentrant. @@ -837,10 +1003,10 @@ supplied structure: session is now ready to handle traffic. @@ -848,25 +1014,37 @@ supplied structure: This may be called multiple times for the same session. - + + + + @@ -875,21 +1053,13 @@ supplied structure: required.
    EventDescriptionParameters
    pre_authThis is called after a radius response has been + This is called after a RADIUS response has been received, but before it has been processed by the code. This will allow you to modify the response in some way. -
      -
    • t - Tunnel ID
    • -
    • s - Session ID
    • -
    • username
    • -
    • password
    • -
    • protocol (0xC023 for PAP, 0xC223 for CHAP)
    • -
    • continue_auth - Set to 0 to stop processing authentication modules
    • -
    +
    +
    t
    Tunnel +
    s
    Session +
    username +
    password +
    protocol
    0xC023 for PAP, 0xC223 for CHAP +
    continue_auth
    Set to 0 to stop processing authentication modules +
    post_authThis is called after a radius response has been + This is called after a RADIUS response has been received, and the basic checks have been performed. This is what the garden module uses to force authentication to be accepted. -
      -
    • t - Tunnel ID
    • -
    • s - Session ID
    • -
    • username
    • -
    • auth_allowed - This is already set to true or +
      +
      t
      Tunnel +
      s
      Session +
      username +
      auth_allowed
      This is already set to true or false depending on whether authentication has been allowed so far. You can set this to 1 or 0 to force - allow or disallow authentication
    • -
    • protocol (0xC023 for PAP, 0xC223 for CHAP)
    • -
    + allow or disallow authentication +
    protocol
    0xC023 for PAP, 0xC223 for CHAP +
    packet_rx -
      -
    • t - Tunnel ID
    • -
    • s - Session ID
    • -
    • buf - The raw packet data
    • -
    • len - The length of buf
    • -
    +
    +
    t
    Tunnel +
    s
    Session +
    buf
    The raw packet data +
    len
    The length of buf +
    packet_tx -
      -
    • t - Tunnel ID
    • -
    • s - Session ID
    • -
    • buf - The raw packet data
    • -
    • len - The length of buf
    • -
    +
    +
    t
    Tunnel +
    s
    Session +
    buf
    The raw packet data +
    len
    The length of buf +
    timer -
      -
    • time_now - The current unix timestamp
    • -
    +
    +
    time_now
    The current unix timestamp +
    new_session -
      -
    • t - Tunnel ID
    • -
    • s - Session ID
    • -
    +
    +
    t
    Tunnel +
    s
    Session +
    kill_session -
      -
    • t - Tunnel ID
    • -
    • s - Session ID
    • -
    +
    +
    t
    Tunnel +
    s
    Session +
    radius_responseThis is called whenever a radius response includes a + This is called whenever a RADIUS response includes a Cisco-Avpair value. The value is split up into key=value pairs, and each is processed through all modules. -
      -
    • t - Tunnel ID
    • -
    • s - Session ID
    • -
    • key
    • -
    • value
    • -
    +
    +
    t
    Tunnel +
    s
    Session +
    key +
    value +
    +
    radius_resetThis is called whenever a RADIUS CoA request is + received to reset any options to default values before + the new values are applied. + +
    +
    t
    Tunnel +
    s
    Session +
    control -
      -
    • buf - The raw packet data
    • -
    • l - The raw packet data length
    • -
    • source_ip - Where the request came from
    • -
    • source_port - Where the request came from
    • -
    • response - Allocate a buffer and put your response in here
    • -
    • response_length - Length of response
    • -
    • send_response - true or false whether a response - should be sent. If you set this to true, you must - allocate a response buffer.
    • -
    • type - Type of request (see nsctl.c)
    • -
    • id - ID of request
    • -
    • data - I'm really not sure
    • -
    • data_length - Length of data
    • -
    +
    +
    iam_master
    Cluster master status +
    argc
    The number of arguments +
    argv
    Arguments +
    response
    Return value: NSCTL_RES_OK or NSCTL_RES_ERR +
    additional
    Extended response text +
    @@ -901,7 +1071,7 @@ Walled Garden is implemented so that you can provide perhaps limited service to sessions that incorrectly authenticate.

    Whenever a session provides incorrect authentication, and the -radius server responds with Auth-Reject, the walled garden module +RADIUS server responds with Auth-Reject, the walled garden module (if loaded) will force authentication to succeed, but set the flag garden in the session structure, and adds an iptables rule to the garden_users chain to force all packets for the session's IP @@ -926,6 +1096,14 @@ command: iptables -t nat -L garden -nvx +

    Filtering

    + +Sessions may be filtered by specifying Filter-Id attributes in +the RADIUS reply. filter.in specifies that the named +access-list filter should be applied to traffic from the +customer, filter.out specifies a list for traffic to the +customer. +

    Clustering

    An l2tpns cluster consists of of one* or more servers configured with